1 of 24 | Page
CA Identity Manager Provisioning Runbook for ImageWare Systems, Inc.
Biometric Authentication Service
Legal Notice
This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2016 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Table of Contents
Legal Notice
Table of Contents
Support
    Contact CA Technologies
    Product documentation feedback
Chapter 1: Introduction
    Overview
    The provisioning process
    CA prerequisites
    ImageWare Systems, Inc. prerequisites for CA customers
Chapter 2: Configure/provision CA Identity Manager (12.6)
    Use the SCIM connector to acquire ImageWare Systems GMI Server endpoint
    Create an endpoint
    Create an “explore and correlate” definition
    Create account templates
    Create a provisioning role
    Set up Policy Xpress
Chapter 3: Configure the ImageWare Systems GMI Server endpoint
    Connect with ImageWare Systems, Inc.
    Tenant requirements
    ImageWare requirements
    ImageWare System’s GMI Admin Portal
Chapter 4: Test provisioning to the GMI Server endpoint
    Provision a user
    Modify a user
    Deprovision a user
    Confirm that user was provisioned or deprovisioned in the GMI Admin Portal
Chapter 5: Exception Handling
Chapter 6: Summary
Appendices: CA Scalability Testing
    Appendix A: Testing Checklist
    Appendix B: Special Character Testing
    Appendix C: Additional CRUD Testing
Support
This document is produced by ImageWare Systems, Inc. ([email protected]), on behalf of CA Technologies Inc. (www.ca.com).
Contact CA Technologies
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
● Online and telephone contact information for technical assistance and customer services
● Information about user communities and forums
● Product and documentation downloads
● CA Support policies and guidelines
● Other helpful resources appropriate for your product
Product documentation feedback
If you have comments or questions about CA Technologies product documentation, you [email protected].
For feedback or questions about ImageWare Systems, [email protected]
Chapter 1: Introduction
Overview
The scope of this document is to provide the necessary steps required to configure the provisioning endpoint connection between CA Identity Manager 12.6, and the ImageWare Systems GMI Server endpoint.
The provisioning process
The endpoint provisioning process contains the following steps:
1. Install and configure the prerequisites
2. Configure provisioning for Identity Manager
3. Configure the Service Provider endpoint
4. Test the provisioned endpoint
CA prerequisites
● Install CA Identity Manager 12.6 Suite
● Configure user directory and provisioning directory
● Create an Identity Manager environment
● Import Roles and Tasks for SCIM endpoint types
ImageWare Systems, Inc. prerequisites for CA customers
In order to set up and use the ImageWare out-of-band biometric identity authentication component, there are a number of required prerequisites:
● Customer has established a tenant relationship with ImageWare Systems:
    ● Either the customer has established a tenant relationship directly with ImageWare; or
    ● The customer has attached themselves to CA Technologies as a tenant-client, using CA Technologies’ tenant relationship with ImageWare Systems, Inc.
● Customer has established an appropriate client credential token for use in creating (provisioning) and removing (de-provisioning) users in the GMI system
● The ImageWare GMI system is set up for CA Identity Manager integration by configuring the GMI UserID attribute as immutable
● End-user is in possession of a mobile device that has either the GoVerifyID™ mobile application or a GoVerifyID-enabled application designated for providing biometric enrollment and verification through the GMI Server suite
● End-user has enrolled their biometrics to support future CA Identity Manager biometric identity verification requests
Chapter 2: Configure/provision CA Identity Manager (12.6)
Use the SCIM connector to acquire ImageWare Systems GMI Server endpoint
Create an endpoint
To acquire an endpoint:
1. Log in to CA Identity Manager and navigate to Endpoints → Manage Endpoints → Create Endpoint.
2. Click the Create a new endpoint of Endpoint Type drop-down menu and select SCIM.
3. Click OK. The Create SCIM Endpoint form opens with the Endpoint tab open by default.
4. Enter the following in the appropriate fields:
| Field Name | Description |
| --- | --- |
| Endpoint Name | Name of your endpoint as you determine appropriate |
| Description | Optional |
| SCIM Base URL | https://<GMI_SERVER_FQDN>/gmiserver/v1 |
| SCIM Authentication Method | OAuth 2.0 with Client Credentials |
| Username | N/A |
| Password/Confirm | N/A |
| SCIM OAuth Token Endpoint URL | https://<GMI_SERVER_FQDN>/usermanager/oath/token NOTE: This field is required when the OAuth authentication method is selected |
| SCIM OAuth Client ID | Relevant SCIM OAuth Client ID (this information is custom-defined for a partner and is available by contacting ImageWare Systems at support@iwsinc.com) NOTE: This field is required when the OAuth authentication method is selected |
| SCIM OAuth Client Secret | Relevant SCIM OAuth Client Secret (this information is custom-defined for a partner and is available by contacting ImageWare Systems, [email protected]) |
| SCIM OAuth Scope | IGNORED, or some other string (optional) NOTE: This field is required when the OAuth authentication method is selected |
| OAuth Additional Parameters | None (optional) |
| Default Account Template | See Explore and correlate definition |
5. Click the Endpoint Settings tab.
NOTE: This tab is customized by CA or the relevant site or system administrator. Each setting is customized based upon the desired behavior regarding disabling and deleting accounts on the endpoint.
6. When any custom settings have been entered on this tab, click the Attribute Mapping tab.
NOTE: This tab can be optionally changed if needed, but in most cases it is recommended that users keep the out-of-box mapping.
7. When any custom settings have been entered on this tab, click Submit to save all endpoint settings on the Create SCIM endpoint form.
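A pre-flight check of the values entered in step 4, as an added example that is not part of the CA or ImageWare documentation. The field names come from the table above; the host name gmi.example.com, the credential strings and the same-host check are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OAUTH_METHOD = "OAuth 2.0 with Client Credentials"
URL_FIELDS = ("SCIM Base URL", "SCIM OAuth Token Endpoint URL")
# The table marks the token URL, client ID and scope as required with OAuth.
# The client secret is added here because the client credentials grant
# cannot work without one.
REQUIRED_WITH_OAUTH = (
    "SCIM OAuth Token Endpoint URL",
    "SCIM OAuth Client ID",
    "SCIM OAuth Client Secret",
    "SCIM OAuth Scope",
)

# Constructed sample values (assumptions, not real tenant data).
GOOD_SETTINGS = {
    "Endpoint Name": "GMI-SCIM",
    "SCIM Base URL": "https://gmi.example.com/gmiserver/v1",
    "SCIM Authentication Method": OAUTH_METHOD,
    "SCIM OAuth Token Endpoint URL": "https://gmi.example.com/usermanager/oath/token",
    "SCIM OAuth Client ID": "constructed-client-id",
    "SCIM OAuth Client Secret": "constructed-secret",
    "SCIM OAuth Scope": "IGNORED",
}
BAD_SETTINGS = {
    **GOOD_SETTINGS,
    "SCIM Base URL": "http://gmi.example.com/gmiserver/v1",
    "SCIM OAuth Token Endpoint URL": "https://<GMI_SERVER_FQDN>/usermanager/oath/token",
    "SCIM OAuth Client Secret": "",
}


def check_url(field, value):
    """Return (field, problem) pairs for one URL setting."""
    if "<" in value or ">" in value:
        return [(field, "placeholder not replaced")]
    parts = urlsplit(value)
    problems = []
    if parts.scheme != "https":
        problems.append((field, "must use https"))
    if not parts.hostname:
        problems.append((field, "missing host name"))
    if parts.username or parts.password:
        problems.append((field, "credentials embedded in URL"))
    return problems


def check_endpoint_settings(settings):
    """Validate a dict of Create SCIM Endpoint form values; [] means clean."""
    problems = []
    if not settings.get("Endpoint Name", "").strip():
        problems.append(("Endpoint Name", "required"))
    if settings.get("SCIM Authentication Method") != OAUTH_METHOD:
        problems.append(("SCIM Authentication Method", "expected " + OAUTH_METHOD))
    for field in REQUIRED_WITH_OAUTH:
        if not settings.get(field, "").strip():
            problems.append((field, "required with OAuth"))
    url_problems = []
    for field in URL_FIELDS:
        value = settings.get(field, "").strip()
        if value:
            url_problems += check_url(field, value)
    problems += url_problems
    if not url_problems:
        # Assumption: both URLs live on the GMI server, as the shared
        # <GMI_SERVER_FQDN> placeholder in the table suggests.
        hosts = {urlsplit(settings.get(f, "").strip()).hostname for f in URL_FIELDS}
        hosts.discard(None)
        if len(hosts) > 1:
            problems.append(("SCIM OAuth Token Endpoint URL",
                             "host differs from SCIM Base URL"))
    return problems


if __name__ == "__main__":
    for field, problem in check_endpoint_settings(BAD_SETTINGS):
        print(f"{field}: {problem}")
```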
Create an “explore and correlate” definition
To add users to an endpoint, you must create an “explore and correlate” definition for that endpoint. “Explore” identifies the accounts in the endpoint, and “Correlate” matches those accounts with either existing users in CA Identity Manager or creates those users/accounts.
1. Navigate to Endpoints → Explore and Correlate Definitions → Create Explore and Correlate Definition. A create new or create from copy form opens.
2. Select Create a new object of type Explore and Correlate and then click OK. A Create Explore and Correlate Definition form opens.
3. Enter an Explore and Correlate Name (this can be any string of text required).
4. Click Select Container/Endpoint/Explore method. A Select Endpoint form opens.
5. Click the Search for an endpoint of Endpoint Type drop-down menu and select SCIM.
6. Search for and Select the Endpoint created in Endpoint creation. A Select Container form opens.
7. Click Search and then place a check mark next to the containers from which you wish to acquire data, such as Accounts, Groups, and so forth.
8. Click Select. The Create Explore and Correlate Definition form is now populated with the data you selected.
9. Select the correct Explore and Correlate actions:
● Explore endpoint for managed objects
● Update user fields
● Correlate accounts to users → Create users as needed
10. Click Submit. A confirmation window should open.
11. Click OK.
12. Click Endpoints → Execute Explore and Correlate.
13. Select Execute Now and then click Next.
14. Click Browse to locate the Explore and Correlate definition created in this section. A Select Explore and Correlate Definition form opens.
15. Click Search. A list of possible explore and correlate definitions opens.
16. Select the correct Explore and Correlate Definition and then click Select.
17. Click Finish to begin execution. A confirmation window should open.
Create account templates
To simplify account management, the recommended best practice is to create and maintain accounts using Account Templates, which are then used in provisioning Roles. Standardizing account maintenance through templates allows the administrator to control which account attributes are affiliated with which Endpoints when user accounts are created.
1. To create an account template, navigate to Endpoints → Manage Account Templates → Create Account Template. A Create Account Template form opens.
2. Click the Create a new account template of Endpoint Type drop-down menu and select SCIM.
3. Click OK. The Create SCIM Account Template form opens with the Account Template tab opened by default.
4. Enter an Account Template Name. This field can be named anything you determine appropriate.
5. Click the Endpoints tab.
6. Click Add SCIM Endpoint. The Find Endpoints search form opens.
7. Search for and Select the Endpoint created in Endpoint creation. The Create SCIM Account Template now contains the selected endpoint.
8. In regard to the Account, Account Container, User, Contact, and Group Membership tabs:
● Account, User, and Contact mapping can be modified as needed, but in most cases the default values should be used, for example use the %AC% (Account Name) rule string for the User Name attribute. The user name value must be maintained over the life of the provisioned account and therefore must be an immutable attribute like the account name.
NOTE: For demonstration purposes in GoVerifyID, the email address is used for account name—this is what the GoVerifyID application requires during registration. It is expected that integration with an existing Identity Manager will involve synchronizing this user name value between Identity Manager and the customized GoVerifyID application; an appropriate user profile attribute should be chosen.
● Account Container tab should remain unchanged
● Group Membership can be optionally configured
9. When you have completed any additional changes to these tabs, click Submit.
A Confirmation message should open. Click OK.
Create a provisioning role
A provisioning role contains one or more account templates. When you apply that role to a user, the user receives the accounts that were previously defined by the templates.
1. To create a provisioning role, navigate to Roles and Tasks → Provisioning Roles → Create Provisioning Role. A Create new or Create from copy form opens.
2. Select Create a new provisioning role and then click OK. A Create Provisioning Role form opens with the Profile tab opened by default.
3. Enter a Profile Name. This field can be named anything you determine appropriate.
4. Click the Account Templates tab.
5. Click Add Account Template. The Select Account Template search form opens.
6. From the Search for an account template of Endpoint Type drop-down menu, select SCIM.
7. Search for and Select the account template created in Create account templates. The Create Provisioning Role form → Account Templates tab now contains the selected account template.
8. Do not make changes to the Provisioning Roles tab.
9. Click the Administrators tab.
Administrators can add and remove members of the provisioning role.
10. Click Add. The Admin Policy form opens.
On this form, you can select from a variety of parameters to create administrator roles, privileges, scope, and ownership levels. Set the rules and guidelines that establish the users who will be administrators of this provisioning role, and which users they can manage. When you have completed adding administrator users, click OK.
11. Click the Owners tab.
Owners are users who can modify and delete the provisioning role.
12. Click Add. The Owner Rule form opens.
On this form, you can establish the rules for which users will be owners of this provisioning role. When you have completed adding owner users, click OK.
13. Click Submit to complete adding this provisioning role.
A Confirmation message should open. Click OK.
Set up Policy Xpress
Policy Xpress is used to create complex business logic (or policies) in CA Identity Manager without developing custom code. This tool can automate endpoint provisioning by assigning the appropriate Provisioning Role(s) whenever a new User is created.
1. Navigate to Policies → Policy Xpress → Create Policy Xpress Policy.
2. Select Create a new object of type Policy Xpress.
3. On the Profile tab:
a. Complete all fields, selecting Submitted Task as the Policy Type.
b. Provide a Category Name or select one from the list.
4. On the Events tab:
a. Select Task Started as the Event State
b. Select Create User as the Event Name
5. On the Action Rules tab:
a. Add Action when Matched
    ○ Category: Roles
    ○ Type: Set Provisioning Role
    ○ Function: Add
    ○ Provisioning Role Name: Select the provisioning role for your endpoint
6. To test:
a. Navigate to Users → Manage Users → Create User and then create a new user
b. From the endpoint user interface, verify that the new user was automatically created on the correct endpoint.
NOTE: For more information on how to create Policy Xpress Policies, refer to the Policy Xpress section of the CA Identity Manager documentation. This can be found at https://wiki.ca.com.
Chapter 3: Configure the ImageWare Systems GMI Server endpoint
Connect with ImageWare Systems, Inc.
Follow the steps given below to configure the ImageWare Systems GoMobile Interactive (GMI) Server endpoint:
1. Contact ImageWare Systems Support team ([email protected]) to begin the process of setting up the ImageWare Systems GMI Server. The sections in this chapter provide a general overview of what this process entails for business partners (called Tenants) such as CA Technologies.
2. See the ImageWare Systems, Inc. prerequisites for CA customers section of this document.
Tenant requirements
Tenants who use ImageWare's GoVerifyID client application or service and/or GMI server application layer will need to remain aware of the following requirements:
● Tenants must establish a tenant relationship with ImageWare and use the methods provided by ImageWare to engage with ImageWare's GMI server app layer.
● GMI Server APIs are implemented via RESTful HTTP calls over SSL. Responses are JSON-encoded. Each API REST call made by tenant’s servers must contain an authenticated client or resource owner OAuth 2.0 bearer token generated using credentials provided by ImageWare for each tenant installation.
● Tenants are further responsible to provision their authorized end-users through the GMI Server API or the GMI Admin Portal (a web-based interface for managing Tenant accounts).
ImageWare requirements
ImageWare will:
● Create the tenant’s profile on ImageWare servers.
● Create an OAuth 2.0 client credential used by the tenant to access ImageWare GMI Server application layer and utilize the GMI Server API from the tenant’s client servers.
● Work with representatives from the tenant to establish Administrative user roles for both GMI Server and the GMI Admin Portal.
ImageWare System’s GMI Admin Portal
When Tenants establish a relationship with ImageWare Systems, Inc., they are given the GMI Server SDK containing all relevant API, and also are provided with a login identity to the GMI Admin Portal. This Admin Portal is a web interface created for ImageWare’s Tenants, and is used by the Tenant’s administrative users to manage the following:
● Their own Tenant account
● Any end-users attached to their account, as well as a mechanism to manage end-user’s:
    ▪ Messages; and
    ▪ Devices*
● Their own system administrator credentials*
● Their own client server credentials*; and
● Any applications* or services they use to communicate with end-users
Some additional, useful features include the ability to push ad-hoc messages to end-users, review end-user statuses at-a-glance, bulk upload and download user lists, run reports on activity, and add or delete credentials, users, and other required information in a real-time, easy-to-use environment.
*NOTE: Not all tenants have been given access to all GMI Admin Portal rights and capabilities. Depending upon your designated administrative user role, you might not see all of the features described in this section when using the GMI Admin Portal.
Chapter 4: Test provisioning to the GMI Server endpoint
Provision a user
1. To provision a user in CA Identity Manager, navigate to Users → Manage Users → Modify User. The Search for a user form opens.
2. Search for and Select the User you wish to provision to the GMI endpoint. The Modify User form opens, with the Profile tab opened by default.
3. Enter or modify any of the fields on this tab as appropriate.
4. Click the Provisioning Roles tab. Existing users are listed on this tab.
5. Click Add a provisioning role. The Search for a provisioning role form opens.
6. Search for and Select the provisioning role you created in Provisioning Role. The Modify User form, Provisioning Roles tab now contains the selected user role.
7. Check Member and/or Administrator checkboxes for this provisioning role
8. Click Submit. A Confirmation message should open. Click OK.
Modify a user
GMI does not store Personally Identifying Information (PII) for individual users. The only data shared between CA Identity Manager and GMI is the User Name value defined in Create account template. The User Name value is immutable, therefore user modification is not supported, nor necessary, for CA Identity Manager provisioning to GMI.
Deprovision a user
1. To deprovision a user in CA Identity Manager, navigate to Users → Manage Users → Modify User. The Search for a user form opens.
2. Search for and Select the User you wish to deprovision from the GMI endpoint. The Modify User form opens, with the Profile tab opened by default.
3. Click the Provisioning Roles tab. The selected user should be shown on this tab.
4. De-select the Member or Administrator checkbox for this user to deprovision them from the endpoint.
5. Click Submit. A Confirmation message should open. Click OK.
Confirm that user was provisioned or deprovisioned in the GMI Admin Portal
Once you have provisioned (or deprovisioned) an end-user in CA Identity Manager, you can confirm that the user has been added or removed as an end-user attached to your Tenant account in the GMI Admin Portal by navigating to the GMI Admin Portal, Users tab and performing a Search <Ctrl+F> or by browsing through the list of existing users attached to your Tenant account in the Users table.
Chapter 5: Exception Handling
The following troubleshooting tips may be helpful to keep in mind during setup:
● The client credentials must be valid for the GMI server SCIM endpoint.
● In order to correctly provision a user, the user must not already exist on the GMI server.
● User names must be unique, therefore an email address or similar identifier is suggested.
● The Identity Manager User-User Name attribute value must be identical to the User-User Name value the person uses when registering themselves with the appropriate GoVerifyID or GoVerifyID-compatible application.
Chapter 6: Summary
The following is a summary of key steps in the Identity Manager provisioning setup process.
1. Configure ImageWare Systems’ GMI Server tenant to represent the CA Identity Manager user base.
2. Gather the client credentials and GMI Server SCIM endpoint details for use in configuring CA Identity Manager.
3. Using CA Identity Manager's administrative user interface, create the appropriate SCIM endpoint and associated Account Template and Provisioning Role to define provisioning from Identity Manager to GMI Server.
Appendices: CA Scalability Testing
Appendix A: Testing Checklist
Scalability testing performed with test servers at CA in conjunction with the GMI SCIM interface:
| Test Name | Complete | # Users | Time | Result/Comments |
| --- | --- | --- | --- | --- |
| Explore and Correlate against Endpoint | ✓ | 250,000 | ~6 hours | 250,000+ users successfully correlated to CA IM. |
| Bulk Load – Provisioning Create Users | ✓ | 10,000 | ~1 hour | 7 of total were not provisioned in CA IM and correctly not provisioned in GMI. All others successfully provisioned. |
| Bulk Load – Provisioning Modify Users | ✓ | | | N/A. GMI does not have any attributes for Person Identity that can be modified. |
| Bulk Load – Provisioning Delete Users | ✓ | 1,000 | minutes | All users successfully deleted. |
| Special Character Testing (See Appendix B) | ✓ | | | |
| Additional CRUD Testing (See Appendix C) | ✓ | | | |
Appendix B: Special Character Testing
● Create Users in IM with Special Characters in the fields that will be provisioned to the endpoint.
● Make sure to test users with the following characters: , \ / ! @ # $ % & * ( ) - _ + = ‘ “ : ; [ ] { } < > ^ ~ . ? |
    ○ The GMI System has a more limited set of special characters supported for UserID (which is the only field provisioned from CA to GMI). Those characters are @ . _
● Provision, Update, and De-Provision those users to the endpoint.
    ○ Tested successfully.
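The user name constraints from Chapter 5 and this appendix, applied as a pre-check before a bulk load; this is an added example, not part of the CA or ImageWare documentation. It assumes ASCII letters and digits are accepted alongside the three listed special characters and that names compare case-sensitively; the sample names are constructed.

```python
import re

# Special characters the appendix lists as supported for the GMI UserID: @ . _
# Assumption: ASCII letters and digits are also accepted.
ALLOWED = re.compile(r"[A-Za-z0-9@._]")

# Constructed sample data: a batch exported from Identity Manager and the
# user names already present on the GMI server.
SAMPLE_BATCH = [
    "alice@example.com",
    "bob_smith@example.com",
    "jane+test@example.com",    # '+' is not in the GMI UserID set
    "mary-ann@example.com",     # '-' is not in the GMI UserID set
    "alice@example.com",        # repeated within the batch
    "carol.jones@example.com",  # already provisioned on GMI
    "",
]
SAMPLE_EXISTING = ["carol.jones@example.com"]


def precheck_user_names(candidates, existing_on_gmi):
    """Return (ok, rejected); rejected holds (name, reason) pairs in input order.

    Checks follow the runbook: supported characters only, unique names,
    and the user must not already exist on the GMI server.
    """
    existing = set(existing_on_gmi)
    seen = set()
    ok, rejected = [], []
    for name in candidates:
        # Whatever is left after removing allowed characters is unsupported.
        unsupported = sorted(set(ALLOWED.sub("", name)))
        if not name:
            rejected.append((name, "empty user name"))
        elif unsupported:
            rejected.append(
                (name, "unsupported characters: " + "".join(unsupported)))
        elif name in seen:
            rejected.append((name, "duplicate in batch"))
        elif name in existing:
            rejected.append((name, "already exists on GMI server"))
        else:
            ok.append(name)
        seen.add(name)
    return ok, rejected


if __name__ == "__main__":
    ok, rejected = precheck_user_names(SAMPLE_BATCH, SAMPLE_EXISTING)
    print("provision:", ok)
    for name, reason in rejected:
        print(f"skip {name!r}: {reason}")
```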
Appendix C: Additional CRUD Testing
In addition to previous Create, Read, Update, and Delete (CRUD) testing that has been completed, it is important to also test the following as it applies to your endpoint:
● Delete and recreate the same users. Ensure that users are deleted and recreated properly on the endpoint.
    ○ Tested successfully.
● Lock and suspend users. Ensure that these attributes are set properly on the endpoint.
    ○ This does not apply to GMI System integration.
NOTE: This does not apply to GMI System integration because locked and suspended users are managed by CA Identity Manager, the SSO system, or other CA software. GMI provides user biometric identity validation and authentication or rejection to CA. CA is responsible for granting the user access to appropriate applications based upon their permissions, specifically user status (active, locked, or suspended).
● Password changes, including must change on next login, and password expired. Ensure that the password is reset and that these attributes are set properly on the endpoint.
    ○ This does not apply to GMI System integration.
NOTE: This does not apply to GMI System integration because password policies and rules are managed by CA Identity Manager, the SSO system, or other CA software. GMI provides user biometric identity validation and authentication or rejection to CA. CA is responsible for granting the user access to appropriate applications based upon their permissions, specifically the user’s password policies.
● Relationship associations between primary object and secondary object (i.e. account/group). Ensure that these relationships are set and removed properly on the endpoint.
    ○ This does not apply to GMI System integration.
NOTE: This does not apply to GMI System integration because primary and secondary objects (such as accounts and groups) are managed by CA Identity Manager, the SSO system, or other CA software. GMI provides user biometric identity validation and authentication or rejection to CA. CA is responsible for granting the user access to appropriate applications based upon their permissions, specifically permissions related to their group membership(s).
It is important to also note that GMI does not manage or make use of groups. Groups and group membership are entirely the responsibility of CA/CA software.